Hello!
Presently the API’s authentication mechanism is vulnerable to a variety of attacks. Once a 3rd party obtains your API key, it’s essentially game over. If the API is to maximize its utility (e.g. for automated submission of accounts with the merging of the XML gateway functionality) it realistically requires a better authentication model.
So, I would like to recommend JSON Web Signatures as used by, for example, the Let’s Encrypt ACME protocol (which is used for automated issuing of SSL certificates).
To give a quick summary of how it works, it’s like so:
- The client generates a public/private keypair. E.g. a Secp256k1 pair (as used by Bitcoin).
- The public key is registered with their account. In many instances, the public key “is” the account; however, the ability to replace the keypair is generally favourable.
- Requests are structured as a JSON object, including a signature created with the private key as proof of authenticity. Typically ECDSA.
- The JWS header contains a nonce (it is often just a timestamp for ‘linear’ APIs) to block replay attacks.
JWS is generally a very promising approach for unattended APIs mainly because of its simplicity; by comparison, OAuth is very easy to get wrong. If it’s unattended then it can also happen more regularly, potentially providing CH with more realtime information and making it considerably easier for small business owners like me, especially if HMRC also used the same structure with their API too.
Fantastic work so far anyway! I can’t wait to see where the Government takes these APIs next.
All the best,
Luke
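The four steps above (generate a keypair, register the public key, sign each request, carry a nonce in the protected header), worked through end to end as an added example. This is not code from the post, from Companies House or from the ACME project; it is a minimal illustration written for this page. It assumes ES256 (ECDSA over P-256 with SHA-256, the alg ACME clients typically use, standing in for the secp256k1 curve the post mentions), server-issued random nonces as ACME does rather than timestamps, a hypothetical `kid` account identifier in the header, and a constructed sample filing payload.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// header is the JWS protected header; the nonce lives here, as in ACME.
// "kid" (account id the key was registered under) is an assumption for this example.
type header struct {
	Alg   string `json:"alg"`
	Kid   string `json:"kid"`
	Nonce string `json:"nonce"`
}

// GenerateKey is step 1: the client creates its own keypair (P-256 assumed here).
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignRequest is step 3: compact-serialised JWS (header.payload.signature) over payload.
func SignRequest(priv *ecdsa.PrivateKey, kid, nonce string, payload []byte) (string, error) {
	h, err := json.Marshal(header{Alg: "ES256", Kid: kid, Nonce: nonce})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // ES256 signature is raw r||s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Server holds registered public keys (step 2) and the nonces it has issued but not yet seen used.
type Server struct {
	Keys   map[string]*ecdsa.PublicKey
	Nonces map[string]bool
}

func NewServer() *Server {
	return &Server{Keys: map[string]*ecdsa.PublicKey{}, Nonces: map[string]bool{}}
}

func (s *Server) Register(kid string, pub *ecdsa.PublicKey) { s.Keys[kid] = pub }

// IssueNonce hands the client a fresh random nonce for its next request.
func (s *Server) IssueNonce() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	n := b64.EncodeToString(buf)
	s.Nonces[n] = true
	return n, nil
}

// Verify checks the signature against the registered key, then consumes the nonce
// so a captured request cannot be replayed (step 4). Returns the payload on success.
func (s *Server) Verify(jws string) ([]byte, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h header
	if err := json.Unmarshal(hb, &h); err != nil {
		return nil, err
	}
	if h.Alg != "ES256" { // the server, not the client, decides which alg is acceptable
		return nil, errors.New("unsupported alg")
	}
	pub, ok := s.Keys[h.Kid]
	if !ok {
		return nil, errors.New("unknown account")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, sv := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, sv) {
		return nil, errors.New("invalid signature")
	}
	// Nonce check after the signature check, so unsigned junk cannot burn a client's nonce.
	if !s.Nonces[h.Nonce] {
		return nil, errors.New("unknown or reused nonce (replay?)")
	}
	delete(s.Nonces, h.Nonce)
	return b64.DecodeString(parts[1])
}

func main() {
	priv, _ := GenerateKey()
	srv := NewServer()
	srv.Register("acct-1", &priv.PublicKey)
	nonce, _ := srv.IssueNonce()
	// Constructed sample payload; not a real filing.
	jws, _ := SignRequest(priv, "acct-1", nonce, []byte(`{"company":"00000000","filing":"AA"}`))
	_, err := srv.Verify(jws)
	fmt.Println("first submission error:", err)
	_, err = srv.Verify(jws)
	fmt.Println("replayed submission error:", err)
}
```

The second `Verify` call fails because the nonce was consumed by the first, which is the replay protection the post describes; a request signed by an unregistered key fails the signature check before the nonce is touched. Checking the signature before the nonce also stops a third party who merely observes a nonce from invalidating it with an unsigned request.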